Gervase Markham

Main menu

Post navigation

New Short-Term Patch For IDN-based Spoofing

Darin Fisher, network supremo, has pulled it out of the bag and come up with a less drastic short-term solution to the IDN problem. It has just been checked in for all three upcoming releases. Read about it over in bug 282270, but basically IDN will still work, but all occurrences of IDN domains in the browser UI (URL bar, security info etc.) will be the punycode form. There is a pref to re-enable full IDN – set “network.IDN_show_punycode” to false. As with the previous plan, this preference will be set to true in all official builds.

As I’ve said in previous blogposts, turning off IDN entirely was always an suboptimal solution, and I’m very pleased we’ve managed to find a third way. The search goes on for something better long-term – I’m sure you’ll all agree that, while showing the punycode domain all the time solves the immediate spoofing problem, the fewer browsers out there that do it, the better.

Could I please add a plea that before anyone posts comments on bugs or blogposts suggesting their incredibly simple idea for solving the issue completely, could they please read at least some of the previous posts, bugs, discussions and papers written about the subject? Thanks :-)

[Sorry for the shameless double posting, since I’ve posted this in your previous IDN spoofing thread before noticing this new update, and then I thought its place was here and not there :) ]

Why not have, by default, different fonts for different types of characters?

I’m using Bitstream Vera Sans for my UI, and when I tried that paypal site I noticed the first a was different, not sure if it is because the font itself doesn’t have that character or because it has different a’s. But I had a visual warning.

Anyway, with the current setup FireFox uses the font set in the OS for the adress bar. If, instead, it would use the fonts in the fonts settings for Firefox, and by default ‘Western’ and ‘Unicode’ were set to be visually different fonts, and finnaly when the user tried to set up the same font for both ‘Western’ and ‘Unicode’ a warning would pop up about the danger.

Then we would have some visual warning equivalent to payppal.com passing has paypal.com. Which means, it’s not perfect, sometimes people would miss them, but it would be has easy to spot as payppal.

Shouldn’t ICANN simply find the domain
names that would spoof popular domains
and block them from being registered?

Please, no! ICANN is already expert at restricting and revoking domain names based on (real or imagined) conflict with domains owned by more powerful people or companies. Don’t give them another excuse.

I, living in Eastern Asia, believe this solution is really bad. Changing font is difficult, I understand, but how about colors, font sizes or styles, such as italics? How about showing punycode in tooltip or something at the same time of showing IDN? In this situation, we are not protected from IDN-to-IDN phishing domains because all has some punycode and distingushing phishing punycode domain name from non-phishing one is very much harder than distinguishing phishing IDN from correct one. At least we must see both non-punycode domain name and punycode one at the same time to be sure we are not phished.

I think people somehow misunderstood my previous entry about disabling IDN support in FireFox. It was written right after Mozilla announced they would disable default support for IDN, and before they changed that to just display IDN domains as punycode.